What’s the effect of GDPR and how is Big Tech responding

General Data Protection Regulation is being introduced later this month, and will impact companies of all shapes and sizes operating in the European Union. But what is GDPR and how are the biggest data-hoarders like Facebook and Alphabet responding?

‘We’re all going to have to change how we think about data protection,’ - UK Information Commissioner Elizabeth Denham, January 2018.

Considering that the current directive dictating data privacy and protection laws across the EU is over 20 years out of date, it is fair to argue that the refreshed update to come into force later this month, General Data Protection Regulation (GDPR), is well overdue.

GDPR will change how businesses of all types process and handle our personal data, and try to address the growing concerns about how it is treated in the digital age, amid the rising threat of cyber-attacks. Although GDPR has been in the pipeline for over four years, many companies are expected to be caught out, and the new legislation is likely to reveal a lot about whether or not companies even understand the data they collect, and just how secure it is.

It will ultimately test a company’s ability to effectively process and handle our data in a secure manner, and how well they can demonstrate that to authorities that are running out of patience and consumers that are becoming increasingly anxious about their data.

What is GDPR and when will it be introduced?

GDPR is legislation regarding data privacy that comes into force in the EU on 25 May 2018. GDPR was approved by the EU Parliament in the middle of April to replace a previous directive covering data protection law.

GDPR can be regarded as an important update to previous laws that failed to address the challenges that technological developments have yielded over recent decades, bringing data privacy legislation up to speed while ensuring that all EU member states remain aligned when it comes to data privacy law. The UK has chosen to adopt GDPR in full, even after Brexit, to ensure it remains aligned with EU laws after it leaves the bloc.

Although GDPR is focused on the digital side of data, it still covers paper documentation and goes beyond the data collected about customers, covering information about the likes of staff.

The ‘Tortoise and the Hare’ is a rather apt metaphor. Technology evolves at such a rapid pace that governments can barely keep up with the latest development before another one comes along - look at cryptocurrencies. But regulation eventually catches up and tries to get one step ahead of technology. Governments, making up for lost time, look to overhaul regulation rather than tweak it, and judge whether the industry’s interests are aligned with the public’s.

This is demonstrated by the number of high-profile cyber-attacks in recent years. In the four years alone that it took GDPR to get through the EU Parliament, there were the likes of the WannaCry ransomware attack against computers around the world, and attacks on companies like TalkTalk, Sony, JPMorgan, Tesco and Home Depot, to name just a few.

What companies will be most affected by GDPR?

Although GDPR will become enforceable imminently, it is more likely that its introduction will, in reality, be more gradual and that regulators will be more eager to ensure that companies are working toward compliance, rather than penalising them for every mistake – of which there will be many.

The more data a company has, the more it will be impacted by GDPR. All companies hold data of some form, whether it be a big multinational like Amazon that knows our buying habits, or the corner shop that holds your card details on a receipt in the till or your address for a newspaper subscription (you can read about IG’s privacy policy and how we use data here).

There are two primary types of companies targeted. The first are data controllers, which are companies that decide which data to collect and how to collect it. These are the companies that must justify why the data exists in the first place. The second are data processors, which process data on behalf of controllers.

It is clear who GDPR is aimed at and the initial pressure is likely to fall on the big players, those that have more of our personal data than any other company. However, the biggest casualties are more likely to be firms that collect and aggregate data for a living, as people flex their new control over their data and become more conscious of who has access to their data (and why). Many companies may look to bring data collection and analysis work in-house, as outsourcing becomes less practicable, which in turn would damage the availability of specialist skills some of these companies offer.

The trade-off between supplying your personal data in return for a service will grow. Companies looking to harvest and gain from your information while providing nothing in return will have a tough time adapting to the new law. Ironically, this would benefit those providing important services to the public in return for their personal data, like Alphabet and Facebook. Even if their own ability to target adverts is negatively impacted, they will prevail ahead of smaller competition, which will struggle to provide accurate services if they can’t secure the data they need under GDPR, giving the pair further headway in a market that they already dominate.

The fallout following the poorly-timed Cambridge Analytica scandal, combined with the introduction of GDPR, will keep Facebook and Mark Zuckerberg well within the crosshairs of regulators on both sides of the Atlantic. However, the likes of Alphabet, Microsoft, Apple and social media companies Twitter and SNAP are also likely to be among the first to receive a visit from regulators looking to test their compliance, and are likely to face the most scrutiny while being given the least leeway. Then there are the big data firms like Intel, IBM, Oracle and HP Enterprise.

Facebook’s troubles also highlight the severe problems with how data is shared between companies, when one firm passes on data to a third party, or purchases data from a third party. Governments need to urgently address how companies trade our personal data with one another for their own gain, and much of GDPR’s success will be predicated on how effective it is at tackling that.

It is important to remember that big tech would much rather work with governments to try to shape the regulation they will have to abide by, rather than fight against it and have no say in how their industry is governed. In turn, governments can be willing to let industry govern itself if it can do so effectively (much of big tech’s current operations involve largely unregulated activities), but have to take action should it prove industry can’t.

What’s different about GDPR compared to the previous directive?

‘GDPR makes its applicability very clear - it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not,’ – The European Union.

The foundations of GDPR remain the same as the previous directive, but include many substantial changes that will have a material impact on the digital economy.

The biggest issue that GDPR addresses is the ability for a company to operate in the EU but circumvent EU laws by being based elsewhere. The previous laws were unclear about where data was being processed and therefore what jurisdiction it fell under. This allowed a tech firm to operate in the EU but argue it processed the data somewhere else, like the US, and flout EU data laws, which has previously led to some high-profile court cases. However, GDPR will apply to all companies processing personal data in the region, regardless of where they are headquartered.

GDPR is significantly different to the previous directive in other ways, including:

Penalties: companies in breach of GDPR can be fined up to a maximum of 4% of the annual revenue they generate globally, or 20 million euros (whichever is greater)

Permission: companies must make terms and conditions simpler and secure consent from subjects using an ‘intelligible and easily accessible form’

Breach notification: cyber-attacks that are likely to ‘result in a risk for the rights and freedoms of individuals’ must be reported within 72 hours, and any breach of GDPR a company discovers must be reported immediately and without delay

Consumer access: subjects will have the right to access the data that companies have collected, and ask where it is stored and why they are keeping it

Delete data on request: subjects can ask companies to delete data they have about them, or the ‘right to be forgotten’, and prevent that data from being shared with third parties

Privacy by design: this means companies must take data protection into account when designing new systems, not after they have made them. This has been widely adopted already but is only formally coming into force under GDPR.

Data protection officers: the largest controllers and processors will be appointed an officer who will directly liaise with the company about GDPR while reforming the way information must be logged and reported.

But what does this all mean for businesses? In a nutshell, companies have to firstly understand what data they have and where it is stored, then justify the reason they store it, before organising the data in such a manner that any data requests from the public or authorities can be swiftly handled. A tell-tale sign that a company is struggling to comply with GDPR will be any inability to deal with data requests.

Many companies will have to look beyond their own internal systems to truly ensure they are compliant, evaluating how data is shared with any external players like subcontractors or advertising partners. This area will also prove to be a big headache for the likes of cloud-computing companies that are built around data-sharing.

What fines could big tech firms face under the GDPR?

With firms facing fines of up to 4% of annual revenue generated globally for severe breaches of GDPR, the biggest companies in the tech space have a lot to lose if they fail to comply. Firms could see GDPR-related fines of the following based on their latest annual revenue figures:

Company     Annual revenue     Maximum potential fine
Apple       $229.2 billion     $9.2 billion
Amazon      $177.9 billion     $7.1 billion
Alphabet    $110.9 billion     $4.4 billion
Microsoft   $90 billion        $3.6 billion
Facebook    $40.7 billion      $1.6 billion
Twitter     $2.4 billion       $98 million
SNAP        $825 million       $33 million

(All based on financial years to the end of 2017 apart from Microsoft (to June-end 2017) and Apple (to September-end 2017). Amazon and Apple revenue figures represent net sales)

While the potential fines could clearly be significant, it is unlikely that penalties of that severity will be rolled out often, and it is more likely these will be reserved for the most extreme cases. Maximum fines under the old directive were few and far between, and the overall number of companies that were fined was almost nominal compared to the number of cases investigated. Still, the ceiling has been lifted by such a degree that it should serve well as a warning to companies, but how often these fines will be dished out and how large they will be is yet to be known.

The added problem posed by Privacy Shield Frameworks

There is a separate (but related) issue to GDPR, which provides further uncertainty for US companies that aim to transfer personal data from the EU back to its domestic market. There are two Privacy Shield Frameworks in operation, one between the EU and the US, and the other between the US and Switzerland. Both were designed by the US Department of Commerce in an attempt to encourage transatlantic commerce. The EU approved the plan in mid-2016 and the Swiss followed in early 2017.

Several of the big tech firms have highlighted that these Privacy Shields are currently subject to several legal challenges which will decide how valid these frameworks are in the future, warning they could struggle to import data into the US from the EU and Switzerland if the frameworks are scrapped and no replacement mechanisms have been put in place.

To be clear, big tech in the US wants these frameworks, as they allow it to transfer data from the EU back to the US. Without them, the likes of Twitter and Alphabet have warned, US firms could be forced to duplicate their expensive IT infrastructure and operations in the EU or face losing frictionless access to over 500 million consumers’ personal data.

How will GDPR impact companies?

For consumers, this is all about their personal data. For companies, it is not about the data, but what they use that data for – advertising. Social media companies, for example, will continue to provide popular platforms for advertisers to reach large audiences after GDPR comes in, but the real skill that is under threat is their ability to help advertisers target their marketing to the right people by utilising the data they collect.

A report released late last year by the London School of Economics (LSE) said around 83% of people consent to having their data processed under current consent rules, but that halves to just 42% when people have to explicitly give their consent (like they will under GDPR), suggesting the amount of data these companies will have to play with could drop significantly when GDPR is enforced.

That report warned the EU could lose up to £58 billion, or 1.3 million jobs, just from the impact of GDPR on direct marketing alone. Another £3 billion, or 66,000 jobs, could be at risk from the impact on online behavioural advertising.

The LSE report also included a survey of over 500 data marketing professionals working across a broad range of sectors including retail, media and marketing, IT and telecoms, financial services, and manufacturing. This revealed:

Companies expect their databases to shrink by about 39% under an opt-in consent system

Databases compiled of information collected under opt-in consent rules could be worth up to one-third more than databases collected under an opt-out system, but not all data will become more valuable

Nearly 46% of companies believe GDPR means they will be less likely to use third-party services when it comes to data, versus 45% that believe their use of third parties will remain unchanged, and 10% that think GDPR will encourage them to use more of these services

Stricter consent rules and the inability to complement data with third-party sources would cause profit from data analytics to fall by 11.6% under GDPR

The amount spent by companies on third-party data is expected to fall by 10.5%

How are big tech companies responding to GDPR?

Investors in these big tech firms have been given very little guidance on how GDPR will affect their businesses, which represents just one in a long list of regulatory risks they all face.

Alphabet has been quiet about GDPR, but has pointed to the limited impact GDPR will have on Google and its search engine, which generates most of its revenue while requiring ‘very limited information’. But the company still makes considerable sums from selling advertising space on other platforms like YouTube and the inability to effectively target audiences would still be a big blow for the company.

Facebook has the most reason to embrace GDPR and ensure it complies with the new law, and claims the ‘largest cross-functional team in Facebook’s history’ is preparing its transition to GDPR, which is being led by its growing data protection team in Dublin. It has promised that advertising partners will continue to have the same access to its platform after GDPR comes into play, seemingly keen not to restrict access to its customers despite the recent scandal. However, it has stressed it will not take responsibility for ensuring its partners are complying with the GDPR.

While Facebook is right to argue against policing its partners, governments will look to bring in further regulation should GDPR or the companies themselves fail to ensure data is being shared legally, securely, and only to other GDPR-compliant partners. If a GDPR-compliant company continues to provide data to others that are not complying with the new law, then it completely undermines GDPR as a whole.

However, there seems to be confidence behind GDPR further afield than the EU. US Congress warmed to Facebook CEO Mark Zuckerberg’s promise to extend GDPR rules to US users during his recent grilling. On the other hand, Facebook has confirmed reports it is looking to keep its 1.5 billion users in Africa, Asia, and Latin America outside of GDPR to reduce exposure, while promising to roll out the same privacy controls and settings as those it will have to offer in Europe. Facebook’s message is confusing.

In addition to overhauling its terms and conditions, Facebook has already raised the minimum age for users in Europe to 16 in response to GDPR, while requiring adult consent for anyone younger. This also applies to its messaging arm WhatsApp. SNAP followed by stating Snapchat would stop collecting location data about under 16s in Europe, but refrained from raising its minimum age because of its popularity among teenagers.

Twitter does not collect the same level of personal data as some of its rivals and has stressed it is not in the same bucket as other social media companies, claiming the only information it shares with third parties is public information. However, Twitter has warned that GDPR could impact user numbers later this year. That will also be around the same time that advertisers will start to see how GDPR has affected the quality of data being provided by tech-analysis companies, and when advertising dollars could move to other channels.

Conclusion: GDPR is a major threat that also provides opportunity

It is true that companies complying with GDPR will gain an edge over those that don’t. Companies will be more keen than ever to demonstrate how trustworthy they are when it comes to handling personal data and those that prove they have secure systems could thrive. Meanwhile, the reputational and financial impact of cyber-attacks and data-breaches against companies will grow in magnitude.

However, if GDPR as a whole is not a success and is unable to address the general public’s concerns without hamstringing business, then regulators will have to head back to the drawing board for a (likely very long) rethink.